Krebs on Security

In-depth security news and investigation

Security Firm Redefines APT: African Phishing Threat

A security firm made headlines earlier this month when it boasted it had thwarted plans by organized Russian cyber criminals to launch an attack against multiple US-based banks. But a closer look at the details behind that report suggests the actors in question were relatively unsophisticated Nigerian phishers who’d simply registered a bunch of new fake bank Web sites.

The report was released by Colorado Springs, Colo.-based security vendor root9B, which touts a number of former National Security Agency (NSA) and Department of Defense cybersecurity experts among its ranks. The report attracted coverage by multiple media outlets, including, Fox News, Politico, SC Magazine and The Hill. root9B said it had unearthed plans by a Russian hacking gang known variously as the Sofacy Group and APT28. APT is short for “advanced persistent threat,” and it’s a term much used among companies that sell cybersecurity services in response to breaches from state-funded adversaries in China and Russia that are bent on stealing trade secrets via extremely stealthy attacks.

The cover art for the root9B report.

“While performing surveillance for a root9B client, the company discovered malware generally associated with nation state attacks,” root9B CEO Eric Hipkins wrote of the scheme, which he said targeted financial institutions such as Bank of America, Regions Bank and TD Bank, among others.

“It is the first instance of a Sofacy or other attack being discovered, identified and reported before an attack occurred,” Hipkins said. “Our team did an amazing job of uncovering what could have been a significant event for the international banking community. We’ve spent the past three days informing the proper authorities in Washington and the UAE, as well as the CISOs at the financial organizations.”

However, according to an analysis of the domains reportedly used by the criminals in the planned attack, perhaps root9B should clarify what it means by APT. Unless the company is holding back key details about their research, their definition of APT can more accurately be described as “African Phishing Threat.”

The report correctly identifies several key email addresses and physical addresses that the fraudsters used in common across all of the fake bank domains. But root9B appears to have scant evidence connecting the individual(s) who registered those domains to the Sofacy APT gang. Indeed, a reading of their analysis suggests their sole connection is that some of the fake bank domains used a domain name server previously associated with Sofacy activity: carbon2u[dot]com (warning: malicious host that will likely set off antivirus alerts).

The problem with that linkage is although carbon2u[dot]com was in fact at one time associated with activity emanating from the Sofacy APT group, Sofacy is hardly the only bad actor using that dodgy name server. There is plenty of other badness unrelated to Sofacy that calls Carbon2u home for their DNS operations, including these clowns.
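One way to make the weakness of that linkage concrete is to measure how discriminating each pivot actually is. The script below is an added example, not code from this post or from root9B or AlienVault; the domains, registrant e-mail addresses, name servers and cluster labels are constructed placeholders (all under the reserved `.test` TLD), and the "known cluster" column is ground truth an analyst would not have up front, included only so the discriminating power of a pivot can be scored. It generalises the point in the article: a name server that many unrelated groups share links a seed domain to all of them at once, while a registrant e-mail reused across a handful of fake bank domains stays within one cluster.

```python
"""
Weighing infrastructure pivots: shared name server vs shared registrant e-mail.

Constructed example. Every domain, e-mail and name server here is made up;
the method is the point: a pivot value used by many unrelated clusters carries
little attribution weight, one unique to a single cluster carries more.
"""
from collections import defaultdict

# Constructed records: (domain, registrant_email, name_server, known_cluster).
# known_cluster is hypothetical ground truth used only to score each pivot.
RECORDS = [
    ("examplebank-online.test",  "reg-a@example.test", "ns1.shared-dns.test", "phisher-A"),
    ("securelogin-bank.test",    "reg-a@example.test", "ns1.shared-dns.test", "phisher-A"),
    ("bank-verify-now.test",     "reg-a@example.test", "ns1.shared-dns.test", "phisher-A"),
    ("news-update-portal.test",  "reg-b@example.test", "ns1.shared-dns.test", "apt-B"),
    ("mail-relay-svc.test",      "reg-b@example.test", "ns1.shared-dns.test", "apt-B"),
    ("cheap-pharma-deals.test",  "reg-c@example.test", "ns1.shared-dns.test", "spammer-C"),
    ("lotto-winner-claims.test", "reg-d@example.test", "ns1.shared-dns.test", "419-D"),
    ("real-shop-legit.test",     "owner@example.test", "ns1.other-dns.test",  "benign-E"),
]

DOMAIN, EMAIL, NAMESERVER, CLUSTER = 0, 1, 2, 3


def pivot_groups(records, field):
    """Map each pivot value (an e-mail or a name server) to the clusters using it."""
    groups = defaultdict(set)
    for rec in records:
        groups[rec[field]].add(rec[CLUSTER])
    return groups


def pivot_exclusivity(records, field):
    """Fraction of distinct pivot values that belong to exactly one cluster.

    1.0 means every value of this pivot is a clean discriminator; lower values
    mean the pivot routinely bundles unrelated actors together.
    """
    groups = pivot_groups(records, field)
    exclusive = sum(1 for clusters in groups.values() if len(clusters) == 1)
    return exclusive / len(groups)


def clusters_sharing(records, field, value):
    """All clusters that share one particular pivot value."""
    return sorted(pivot_groups(records, field).get(value, set()))


def linked_by_pivot(records, field, seed_domain):
    """Every domain an analyst would pull in by pivoting on seed_domain's value."""
    seed_value = next(r[field] for r in records if r[DOMAIN] == seed_domain)
    return sorted(r[DOMAIN] for r in records if r[field] == seed_value)


def link_is_supported(records, seed_domain, target_cluster):
    """True only if some pivot ties seed_domain to target_cluster *exclusively*,
    i.e. the pivot value is not also used by clusters other than the seed's own
    and the target. A value shared by four unrelated groups proves nothing."""
    seed = next(r for r in records if r[DOMAIN] == seed_domain)
    for field in (EMAIL, NAMESERVER):
        shared = set(clusters_sharing(records, field, seed[field]))
        if target_cluster in shared and shared <= {seed[CLUSTER], target_cluster}:
            return True
    return False


if __name__ == "__main__":
    seed = "examplebank-online.test"
    print("name server exclusivity:", pivot_exclusivity(RECORDS, NAMESERVER))
    print("registrant e-mail exclusivity:", pivot_exclusivity(RECORDS, EMAIL))
    print("pivot on name server pulls in:", linked_by_pivot(RECORDS, NAMESERVER, seed))
    print("pivot on e-mail pulls in:", linked_by_pivot(RECORDS, EMAIL, seed))
    print("seed linked to apt-B?", link_is_supported(RECORDS, seed, "apt-B"))
```

Run against the constructed records, the name-server pivot drags the phishing seed into the same bucket as an APT-labelled cluster, a spammer and a 419 cluster, so `link_is_supported` correctly refuses the seed-to-APT link, while the registrant-e-mail pivot stays inside the phishing cluster. On real WHOIS and passive-DNS data the same scoring tells you which of your pivots are worth building an attribution on.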

From what I can tell, the vast majority of the report documents activity stemming from Nigerian scammers who have been conducting run-of-the-mill bank phishing scams for almost a decade now and have left quite a trail.

For example, most of the wordage in this report from root9B discusses fake domains registered to a handful of email addresses, including “adeweb2001@yahoo.com,” “adeweb2007@yahoo.com,” and “rolexzad@yahoo.com”.

Each of these emails has long been associated with phishing sites erected by apparent Nigerian scammers. They are tied to this Facebook profile for a Showunmi Oluwaseun, who lists his job as CEO of a rather fishy-sounding organization called Rolexzad Fishery Nig. Ltd.

The domain rolexad[dot]com was flagged as early as 2008 by aa419.org, a volunteer group that seeks to shut down phishing sites — particularly those emanating from Nigerian scammers (hence the reference to the Nigerian criminal code 419, which outlaws various confidence scams and frauds). That domain also references the above-mentioned email addresses. Here’s another phishy bank domain registered by this same scammer, dating all the way back to 2005!

Bob Zito, a spokesperson for root9B, said “the team stands by the report as 100 percent accurate and it has been received very favorably by the proper authorities in Washington (and others in the cyber community, including other cyber firms).”

I wanted to know if I was alone in finding fault with the root9B report, so I reached out to Jaime Blasco, vice president and chief scientist at AlienVault — one of the security firms that first published the initial findings on the Sofacy/APT28 group back in October 2014. Blasco called the root9B research “very poor” (full disclosure: AlienVault is one of several advertisers on this blog).

“Actually, there isn’t a link between what root9B published and Sofacy activity,” he said. “The only link is there was a DNS server that was used by a Sofacy domain and the banking stuff root9B published. It doesn’t mean they are related by any means. I’m really surprised that it got a lot of media attention due to the poor research they did, and [their use] of [terms] like ‘zeroday hashes’ in the report really blew my mind. Apart from that it really looks like a ‘marketing report/we want media coverage asap,’ since days after that report they published their Q1 financial results and probably that increased the value of their penny stocks.”

There is an old adage: If the only tool you have is a hammer, you tend to treat everything as if it were a nail. In this case, if all you do is APT research, then you’ll likely see APT actors everywhere you look.

This entry was posted on Wednesday, May 20th, 2015 at 12:32 am and is filed under A Little Sunshine.

47 comments

For what it’s worth Brian, I’m with you and Jaime on this one and if I had to guess I’d say any of your regular readers would likely agree as well.

While there is certainly a ton of great talent coming out of the various government entities it’s important to keep in mind that the resume alone is not indicative of superior business practices. There are plenty of us within the private and research sectors with much more knowledge and experience 😉

“I’m really surprised that it got a lot of media attention due to the poor research they did,…”

Why is he really surprised? This is typical of today’s reporting in popular media: a “journalist” with very little idea about the topic they’re writing on paraphrases a press release with no additional checking or research. This happens often and repeatedly so I really do not know why he’s surprised.

I guess the fact that it could be seen as somewhat supportive of Washington’s “cyberwar” stupidity in that it provides more justification and that it apparently has former high level gov workers putting out this rubbish is another alarm bell as well.

root9B mentions, …”the malicious code bore specific signatures that have historically been unique to only one organization, Sofacy”. However, I see no other public correlation of the malware hashes to Sofacy.

The same so-called experts that are perfectly happy to insure the bad guys build (and get well paid) all the computer equipment that gets used all over the world. It’s like the spies that spend all their time watching other spies that themselves are watching spies. While the population and the world’s businesses all get caught in the middle (without ever realizing it). Is it any wonder there are back doors into things?

I have absolutely no reason to trust anything from any of these people at all. None of them can tell the difference between their own 1’s from 0’s in the ground. I’m a lot more likely to be forced into spending a lot more time protecting myself from these experts and their policies.

Oh yeah….one other thing…..

Thanks Brian but I’m not very likely to get my cyber-security tips from the Politico.

I live in Colorado Springs and we have a strong ISSA chapter here. I have never heard of this company. Looking at their website at their many “offices” really casts doubt, especially when they evidently have less than 50 employees.

I think the security services market much like the general internet news machine is getting so over crowded that the quality of many of the sources and organizations goes down as a result. More and more it’s up to the individual to decide on the validity and authoritativeness of the sources / product in question.

This I believe is expected behavior any time there is a lot of money flowing around a sector and it’s hot as Information Security is right now.

BK I think you’re either the best or one of the best reporters out there, and I’m sure that doing the high quality work you do takes a lot of time and effort.

These days a PR stunt can work just as easily as it fails, the only issue is when you go for major exposure like these guys did, if you take shortcuts or are less than truthful it can backfire in a huge way. Now they may be looked on in a worse light than if they hadn’t released this information.

One security issue I can see with all the over-hyped PR and how easily people are spoofed is that an intentionally false PR statement could cause havoc in the financial markets and we may need a better way to authenticate these types of intentionally malicious releases.

Now that the whiz kids at root9B have unmasked this Threat to Western Civilization, I am starting to get spams which purport to be from a bank in Mali. Next stop for the root9B investigators. I wonder if the Nigerian princes have emigrated yet.

“There is an old adage: If the only tool you have is a hammer, you tend to treat everything as if it were a nail. In this case, if all you do is APT research, then you’ll likely see APT actors everywhere you look.”

Yes, too true, but that doesn’t mean that it’s not good to be looking for APT! I really liked this white paper based on the Gartner Security Summit that discusses *all* the things that people should be looking at and thinking about related to security: http://bit.ly/1byhygd

I co-authored one of the Sofacy/APT28 reports that Jaime referenced in his accurate summary in October. He wasn’t the only one to laugh at the root9b report, particularly with respect to the “zero-day hashes”.

Unfortunately incompetent reports are being rewarded, and it’s great to see Krebs and others starting to call them out.

Brian, please follow up – it’ll either hopefully show that these guys were correct but don’t write detailed and accurate, well-researched reports, or that they are just as guilty as the Nigerian scammers for posting empty or false PR just before Q1 earnings news with hopes of increasing their valuation.

As for Stephen H’s comment below on the SEC question, I too wonder about that…

I would love to see how they justify their claim on their website, ”root9B is a leading provider of advanced cybersecurity services and training for commercial and government clients.” Who defined them as a leader and in what way? Doubt they own a larger market share than 50% of their competition or have been rated better than 50% of their competition by reputable independent security sources. If neither exist, then that is a false claim. Sorry, but I just hate how everyone defines themselves as a leader in something for marketing purposes (and usually pays someone to rank them that way so they can throw something up on their website – ranked best security company by Bob’s BBQ and Outdoor Grill of Bumf- WV).

If it were true he could, which is why I think there may be more to this than Brian “Krebspersky” knows. Grano is worth a whole lot more than the 50k or so Brian accuses him of making in his “pump and dump” accusation. Why would anyone worth tens of millions risk jail time over $50k? And have you seen the board of directors? Do you think William Webster would associate with a company guilty of what Brian alleges? Does anyone here think for themselves? Or is this a site for lemmings blinded by the Krebslights?

Granted there are some talented folks coming out of the public sector so this is not directed at them, but I have been seeing quite a bit of cognitive bias lately with these types of attribution attempts and their methodologies demonstrated in their reports. The most shocking part is that anyone from the public sector who is appropriately trained in the trade craft of intelligence should be thoroughly competent in applying ACH (analysis of competing hypothesis) before they feel so certain about the accuracy of their work.

Hate to say it, but I’m starting to think that there should be regulation on lemon security companies and delivery of false information and shoddy products.

“Most troubling is the 44% decline reported in root9B’s cyber segment. Management has billed this segment as being the growth engine (despite representing only 7% of total revenue on a pro forma basis) for the company going forward. However, this segment produced the largest decline in revenue. Verbiage in the 10-Q attributes this to lengthening sales cycles.”

An interesting article, and nice that we were mentioned (despite that we are aa419.org).

This is slightly off-topic, but I feel I should add a bit of input from our organization. I personally go through hundreds of fake bank domains each week (as an anti-fraud volunteer) and would like to clarify an often misunderstood area here.

Fake bank domains (the typical West African fraudster type) can be set up and used for three things. Phishing, 419 websites, and 419 emails.

Phishing – While there are some being used for phishing, it is far more common to see phishing sites created which spoof email and social media logins rather than impersonating banks. It happens, but it’s not happening that often at all.

Websites – In some cases, these fake bank domains will have content on a website set up to look like the legitimate bank being impersonated. This is NOT typically used for phishing. A fake bank site set up to look like a real bank site and being used for 419 fraud is meant to trick the victim into believing they are dealing with the real bank. In many cases, there is an “online banking” login. This is NOT phishing. The site owner (scammer) will create the login information so that the victim can login and be fooled into believing he really has $2 million in his Barclays/Bank of America/[Insert Bank Name Here] account. When the victim sees what looks like a real bank website, and can then login and see all this “money” in his “account”, the scammer can have an easier time extracting more of the “fees” from the victim to have to pay for the non-existent money. Classic 419 fraud. Again, most often this is NOT phishing, and something that is often misunderstood.

Emails – What is most often the case with newly registered domains copying legitimate banks, is for them to simply be used for email purposes. Many of the scammers are too lazy to bother setting up content on a website. They will register a domain copying a bank, and then use it for sending emails to victims. This is a made-up example, but emails will come from something like bankmanager@barclaysbnkuk.net – again, not for phishing, just to lend credibility to the scam. The victim can be fooled into believing they are dealing with a representative from the real bank, etc…

In any case, carry on. Just wanted to give my input on what the fake bank domains are actually being used for.